Roles and Policies



In this course we will learn to recognize and explain the migration services available from AWS and AWS partners, and how to run a migration using the AWS Server Migration Service. This course is a blend of instructional learning and demonstration. In this course we cover the following topics:

  • The AWS Migration Hub - which provides a simple way to manage migration of servers and applications.
  • The AWS Discovery Services - we explore the AWS Discovery Connector and the Discovery Agent, which enable us to audit and quantify a migration project.
  • The AWS Server Migration Service - which provides a way to manage migrating VMware and Hyper-V virtual machines to the AWS Cloud.

Learning Objectives

In this course, we will learn to apply and use the migration services available from AWS.
First, we will explore the AWS Migration Hub service - which provides a simple way to discover, track and manage the migration of servers and applications.
Then we will learn to use and apply the AWS Application Discovery Service - which provides a way to discover and audit applications and servers running in both hardware and virtualized environments.
Following that, we will apply and use the AWS Server Migration Service within the Migration Hub to manage migrating virtual machines from an on-premises or datacenter environment to the AWS public cloud.

Intended Audience

This course is suited to anyone running or involved in a cloud migration project. As a pre-requisite, I recommend completing our “Getting Started with Cloud Migration” course first so you have some understanding of migration projects and the benefits of the migration services to a cloud migration project.


I recommend completing our Getting Started with Migrating to the Cloud course prior to this course so you understand the basic concepts and benefits of cloud migrations. If you are new to Cloud Computing, I'd recommend completing our What is Cloud Computing? course first so you have an understanding of cloud computing concepts. 


If you have thoughts or suggestions for this course, please contact Cloud Academy at


- [Instructor] Okay, let's talk about authentication and roles. So the Migration Hub console provides an integrated environment for users and APIs to create Migration Hub resources and to manage migrations, okay? So the console provides many features and workflows that require specific permissions in order for them to access those resources. So the best way to implement these permissions is through managed policies. You need to set up the correct roles and permissions to run the service.

Next, you need to define a trust policy that authorizes the migration tool and this example shows a permissions policy to use for the AWS Migration Hub console and API so we want to be able to associate create artifact, notify application state, and list discovered resources. And in this example, the AWS migration service is to assume that role so we're gonna allow and the action is AssumeRole. So this policy is implemented in two parts, the permission policy and the trust policy.

The permission policy grants permissions to the Migration Hub actions which is the AssociateCreateArtifact, NotifyApplicationState, and ListDiscoveredResources on any resources identified by the Amazon Resource Name or the ARN for the AWS Database Migration Service or tool. So the wildcard character specified at the end of the resource name means that the migration tool can act on any migration task the tool creates under the particular ProgressUpdateStreamName. So the trust policy authorizes the Database Migration Service migration tool to assume the role's permission policy and the Migration Hub policies always require a trust policy to be associated with them. So the permissions required to use the Migration Hub Console and API look a bit like this.

So the first is AWSMigrationHubDiscoveryAccess which grants permission to allow the Migration Hub service to call Application Discovery Service. AWSMigrationHubFullAccess grants access to the Migration Hub console and the API/CLI for a user who's not an administrator. Now the AWSMigrationHubSMSAccess grants permissions for Migration Hub to receive notifications from the Server Migration Service migration tool so you need that one if you're using the Server Migration Service. The AWSMigrationHubDMSAccess grants permission for Migration Hub to receive notifications from the AWS Database Migration Service migration tool.

So let's talk about the trust policies required. A trust policy simply authorizes the principal to assume or use the role's permission policy and a principal can use the AWS account or the root user, an IAM user or a role. So in the Migration Hub, the trust policy must be manually added to the permission policy. So each IAM role you use for Migration Hub requires two separate policies that must be created for it, first a permissions policy which defines what actions and resources the principal is allowed to use and second a trust policy which specifies who is allowed to assume that role, the trust entity or the principal, whatever the case may be, okay? So a permissions policy and a trust policy, you need to create those first before you start using the Migration Hub.
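The permissions policy and trust policy pair described in the lecture, written out as IAM policy documents together with a small least-privilege check. This is an added example, not material from the course. The region, account ID and the `DMS` stream name are constructed placeholders, `review_role` is a hypothetical helper, and the actions use the IAM spelling `mgh:AssociateCreatedArtifact`, `mgh:NotifyApplicationState` and `mgh:ListDiscoveredResources`.

```python
import json

# Constructed placeholders: region, account ID and the "DMS" stream name are assumptions.
STREAM_ARN = "arn:aws:mgh:us-west-2:111122223333:progressUpdateStream/DMS/*"
EXPECTED_ACTIONS = {"mgh:AssociateCreatedArtifact", "mgh:NotifyApplicationState",
                    "mgh:ListDiscoveredResources"}
# Permissions policy: what the role may do, and on which resources.
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": sorted(EXPECTED_ACTIONS), "Resource": STREAM_ARN}]}
# Trust policy: who may assume the role (here only the DMS service principal).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "dms.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

def as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def review_role(permissions, trust, stream="DMS"):
    """Return findings for one role's policy pair; an empty list means no finding."""
    findings = []
    for stmt in as_list(permissions["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(as_list(stmt.get("Action", []))) - EXPECTED_ACTIONS
        if extra:
            findings.append(f"permissions: unexpected actions {sorted(extra)}")
        for res in as_list(stmt.get("Resource", [])):
            # Only the trailing task segment of the one named stream may be a wildcard.
            prefix, _, tail = res.rpartition(":")
            scoped = prefix.startswith("arn:aws:mgh:") and "*" not in prefix
            if not scoped or tail != f"progressUpdateStream/{stream}/*":
                findings.append(f"permissions: resource too broad: {res}")
    for stmt in as_list(trust["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        names = [n for v in principal.values() for n in as_list(v)] \
            if isinstance(principal, dict) else ["*"]
        if not names or any("*" in n for n in names):
            findings.append("trust: principal is not a specific named entity")
        if set(as_list(stmt.get("Action", []))) != {"sts:AssumeRole"}:
            findings.append("trust: action should be sts:AssumeRole only")
    return findings

if __name__ == "__main__":
    print(json.dumps(PERMISSIONS_POLICY, indent=2))
    print(json.dumps(TRUST_POLICY, indent=2))
    print(review_role(PERMISSIONS_POLICY, TRUST_POLICY))
```

The two printed documents are what would be attached to the role as its permissions policy and its trust relationship.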

About the Author

Andrew is fanatical about helping business teams gain the maximum ROI possible from adopting, using, and optimizing Public Cloud Services. Having built 70+ Cloud Academy courses, Andrew has helped over 50,000 students master cloud computing by sharing the skills and experiences he gained during 20+ years leading digital teams in code and consulting. Before joining Cloud Academy, Andrew worked for AWS and for AWS technology partners Ooyala and Adobe.